For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

tiwang's avatar
tiwang
Icon for Nimbostratus rankNimbostratus
Jun 07, 2013

SSO for webserver

Hi out there     I need an idea how I can awoid my users in cheating me.   I have a SSO setup where I through a client initiated webform do a SSO login to a webserver. After this the APM j...
config
design
Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Jun 11, 2013
This is a tough one. An APM session is generally maintained by a session-based browser cookie, and it is the browser's behavior to share that memory space across windows/tabs that allows a second window to proceed past the initial access policy evaluation. I have two initial thoughts:

 

 

1. Is the application's logon page something distinct (ex. /logon.aspx) that no one would need to access unless attempting to logon?

 

 

2. The SSO profile should be perpetual. It should detect any request, at any time, to the logon page and submit the credentials so that the user never sees it. Can you elaborate on how logon is performed and how the SSO is configured?